Hospitality Industry Spotlight by Gamelah Palagonia Senior Vice President, Finex
Hoteliers have long been major hacking targets – a trend that is likely to continue given the volume of credit and debit card transactions the industry processes.
While all business should assess and implement comprehensive privacy and data security policies to ensure adequate protection of sensitive consumer and employee data, the hospitality industry cannot afford not to do so.
Hotels transact business through credit and debit cards, which can be kept on file and accessed multiple times during a guest’s stay. In just one night, payment cards can be used in the restaurant, spa, bar and other guest services. In addition, hotels and restaurants are public environments with little control over their patrons, and employees generally have access to credit cards, guest rooms and other confidential guest information. Moreover, public Wi-Fi service often provided by hotels can inadvertently provide hackers access to unsecured public wireless networks. These practices, coupled with the risk associated with payment card information, make hotels exceptionally vulnerable to hacking, insider threats and cyber security fraud.
Restaurants are particularly vulnerable to the above risks due to high staff turnover combined with lax hiring practices, such as failure to conduct or inadequate criminal and employment background checks. For franchises the risk is more pronounced because they tend to install the same type of POS (point-of-sale) processing system at all their locations, allowing hackers to replicate an attack on all locations once they have gained access to one.
EMV PAYMENT CARDS – THE NEW STANDARD
Nationwide EMV (i.e., Europay, MasterCard and Visa – named for the founding companies that developed the standard) Payment Cards migration is now well underway in the U.S. Major credit card brands have indicated that, as of October 1, 2015, if EMV capability has not been implemented on merchants’ POS terminals, the merchant, not the card issuer will be liable for all fraudulent transactions made on such cards. Today the EMV standard is owned and managed by the equity owners of EMVCo – American Express, JCB, Discover, MasterCard, UnionPay and Visa.
Prior to EMV, magnetic strip credit cards were the standard in the U.S. The band on the back of a payment card is the magnetic strip. The data stored on the magnetic strip is accessed when the card is swiped through a card reader. This technology is highly vulnerable to fraud because the data is static and can be easily cloned. The shift toward EMV cards is therefore intended to prevent fraudulent transactions. Unlike the magnetic strips, EMV cards are embedded with microchips, which are more difficult to replicate, as the microchip creates a unique impression every time the EMV card is used, thus providing an additional form of authentication.
While EMV payment cards are expected to significantly reduce fraudulent transactions at the physical point of sale or ‘cardpresent’ transactions, EMV technology is unlikely to impact internet transactions. Further, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope and, therefore, significant liability still exists for card-not-present (CNP) transactions.
A recent report by Javelin Strategy and Research noted that online fraud rose 79% in the U.K. during the first three years after the country adopted EMV cards, and more than doubled in Australia and Canada after those countries adopted the same technology. This is an important consideration for hoteliers that have a high percentage of online reservation transactions and hyper-connection with third-party service providers, such as booking services, tour operators, technology partners, airlines and travel agents.
According to Javelin researchers, fraud will increase by $200 million by 2018, with in-person card-present fraud at the point of sale expected to decrease by $1.5 billion by that time with EMV adoption. Based on Javelin’s projections, EMV could potentially yield a large net positive result for retailers.
However, businesses would be wise not to gain a false sense of security with EMV adoption. Fraud and credit cards breaches are just one exposure; hoteliers, like other businesses, face many exposures, including denial of service (DoS) attacks, phishing, social engineering, malware, viruses, third-party vendors and rogue employees. Verizon’s 2015 DBIR report indicated that 89% of incidents in the hospitality industry were attributed to POS intrusions and DoS attacks. The percentage of POS intrusions fell from 75% in last year’s report to 51% this year, while DoS attacks have risen sharply from 10% to 38%. DoS attacks have crippling effects by rendering key systems (e.g., websites, booking services and billing systems) unavailable.
On August 7, 2015, a global travel technology company and one of the largest clearing houses for travel reservations confirmed that its systems were breached. As a result, the world’s largest airline carrier, which at one time owned the travel technology company, is reportedly investigating whether hackers moved from that company’s systems into its own computers, as the two companies reportedly share some network infrastructure. The travel technology company’s database is a highly desired target for hackers given that the company holds personal information on more than one billion travelers per year, including a software-as-a-service (SaaS) platform for the hospitality industry. In the event that the company’s platform or any other third-party system upon which a hotel is dependent becomes infected with malware, the potential for cross malware infection exists. For this reason, the hospitality industry must have in place and implement third-party vendors’ policies and procedures.
INCIDENT RESPONSE PLANNING
Unfortunately, even with the best defense mechanisms and risk management controls in place, cyber security incidents and data breaches are likely to occur. Businesses often fail to devise their incident response plan prior to an incident. Without a proper response plan in place ahead of time, it’s extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while working to restore operational continuity.
Incident response planning is even more important for the hospitality industry than for others. According to Verizon’s 2015 DBIR report, in 70% of cases in the hospitality sector, incidents took months or longer to discover. This is a significant contrast to the average Willis North America | September 2015 3 across all industries where 74% of incidents were discovered in hours. The major reason for this delay is that businesses in the hospitality sector are likely to be notified of a breach by an external party, such as law enforcement or a fraud alert, rather than internally. The longer an attack lasts and the longer it takes to discover, the more damaging, harmful and costly it is likely to be, as seen in breaches involving some major retailers.
LAYERING RISK MITIGATION REMEDIES
As hoteliers, retailers and other businesses aim to become more vigilant and increase their defenses, hackers and cyber criminals will innovate and adapt to meet the challenges. For example, in April 2014, hackers unable to directly breach the network of an oil company found an indirect route by reportedly infecting the online menu of a Chinese restaurant that was allegedly popular among the oil company’s employees. It was reported that the workers inadvertently downloaded the malicious code when they browsed the menu and indirectly gave the hackers access to the network.
A layered approach to security, compliance and risk management is necessary in order to mitigate direct and indirect threats and potential loss. In addition to EMV adoption, point-to-point encryption (P2PE), tokenization, third-party vendor management, together with established best practices, can help prevent data breaches, minimize financial losses and may also aide in meeting PCI Data Security Standard compliance requirements.
Use Strong Passwords: It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names, complex passwords and deploy multi-factor authentication (MFA).
Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches.
Install Firewalls: Employ firewalls on web applications to prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
Use and Update Antivirus Programs: Regularly update antivirus programs to maintain their effectiveness.
Restrict Access to Internet: Restrict access to POS system computers or restrict terminals to POS-related activities only to prevent users from accidentally exposing the POS system to security threats on the internet.
Disallow Remote Access: Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, disallow remote access to the POS network at all times.
Employee Training: Provide employees with dynamic information security and privacy awareness training, including anti-phishing and social engineering exercises. Employees are the first line of defense and should also be given the ability to quickly report potential issues, activities, circumstances or concerns with ease, such as reporting that an extortion demand was made, without fear, reprimand or retribution.
Incident Response Planning: The primary objective of an incident response plan is to provide a framework to manage a cybersecurity incident, which limits damage, increases the confidence of external stakeholders, and reduces response costs and recovery time. The incident response team (IRT) should practice the plan regularly with table top exercises based on different scenarios.
CYBER AND PRIVACY LIABILITY INSURANCE
Cyber and Privacy Liability Insurance, designed to address many of the cyber risks discussed above, is also a best practice and an important risk transfer vehicle. However, there is no ‘one-size fits all’ product and there is presently no industry standard; each insurer has its proprietary policy form, making Cyber and Privacy Liability insurance a complex specialty product that requires expertise. As such, it is important to select an insurance broker and insurer that concentrates on cyber and privacy risks with dynamic claim management and risk management service offerings.
HOW WILLIS CAN HELP
Our FINEX Cyber broking team is composed of more than 20 professionals with specialized knowledge of the cybersecurity risks and exposures facing companies today. Cyber exposures and the cyber insurance market are dynamic. As a result of our large cyber client base, we are up to the minute with changing exposures and have amassed a body of price, limit, vendor and claim data that supports our clients’ evaluation and decision making as respects cyber risk financial management. Since cyber risks overlap with E&O, media or professional services, our team’s diverse background in these areas provides the insight necessary to address the range of risks often encountered when cyber risk is present. Our cyber experts are recognized in the hospitality industry and are often sought after for thought leadership and new product ideas. Given our expertise and knowledge of the sector, we are able to design innovative programs that specifically reflect the needs of our hospitality industry clients.
Also at the core of our cyber service platform is our proprietary and recently redesigned analytics tool, PRISM IISM, which models the frequency and severity of clients’ privacy loss exposures, and RAPIDSM (Risk Assessment Probability and Impact Diagnostic), which helps clients identify cyber risks within their organizations. The quantitative measurement delivered by PRISM II overlays various risk financing structures to measure the value derived from each structure using our proprietary Comprehensive Cost of Risk tool (CCoRSM). PRISM II is thus designed specifically to help clients make rational, objective decisions regarding privacy breach risk financing issues by using return on capital metrics. Further, with the output generated by PRISM II and RAPID our cyber specialists are able to help clients identify the optimal insurance program structure, as well as analyze and stress test such programs to ensure clients are meeting regulatory and rating agency risk quantification requirements. Further, our robust and proprietary cyber benchmarking database consists of pricing and retention data from cyber clients of every size and industry so that, if desired, our clients can benchmark their purchasing options against those of their peers.
For more information on Cyber and Privacy Liability Insurance, please contact your Willis Client Advocate® or Jamie Sharpe.
View the original article here.